nixos/lxc: apply recommendations from distrobuilder
This commit is contained in:
parent
582a78f910
commit
ecf7441d25
@ -88,6 +88,16 @@ in
|
||||
};
|
||||
'';
|
||||
};
|
||||
|
||||
privilegedContainer = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = lib.mdDoc ''
|
||||
Whether this LXC container will be running as a privileged container or not. If set to `true` then
|
||||
additional configuration will be applied to the `systemd` instance running within the container as
|
||||
recommended by [distrobuilder](https://linuxcontainers.org/distrobuilder/introduction/).
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
@ -146,12 +156,31 @@ in
|
||||
};
|
||||
|
||||
# Add the overrides from lxd distrobuilder
|
||||
systemd.extraConfig = ''
|
||||
[Service]
|
||||
ProtectProc=default
|
||||
ProtectControlGroups=no
|
||||
ProtectKernelTunables=no
|
||||
'';
|
||||
# https://github.com/lxc/distrobuilder/blob/05978d0d5a72718154f1525c7d043e090ba7c3e0/distrobuilder/main.go#L630
|
||||
systemd.packages = [
|
||||
(pkgs.writeTextFile {
|
||||
name = "systemd-lxc-service-overrides";
|
||||
destination = "/etc/systemd/system/service.d/zzz-lxc-service.conf";
|
||||
text = ''
|
||||
[Service]
|
||||
ProcSubset=all
|
||||
ProtectProc=default
|
||||
ProtectControlGroups=no
|
||||
ProtectKernelTunables=no
|
||||
NoNewPrivileges=no
|
||||
LoadCredential=
|
||||
'' + optionalString cfg.privilegedContainer ''
|
||||
# Additional settings for privileged containers
|
||||
ProtectHome=no
|
||||
ProtectSystem=no
|
||||
PrivateDevices=no
|
||||
PrivateTmp=no
|
||||
ProtectKernelLogs=no
|
||||
ProtectKernelModules=no
|
||||
ReadWritePaths=
|
||||
'';
|
||||
})
|
||||
];
|
||||
|
||||
# Allow the user to login as root without password.
|
||||
users.users.root.initialHashedPassword = mkOverride 150 "";
|
||||
|
Loading…
Reference in New Issue
Block a user